Secure Deterministic Communication Without Entanglement

Secure Deterministic Communication Without Entanglement Marco Lucamarini1 and Stefano Mancini2 1

Dipartimento di Fisica, Universit` a di Roma “La Sapienza”, I-00185 Roma, Italy. 2 Dipartimento di Fisica, Universit` a di Camerino, I-62032 Camerino, Italy. (Dated: February 1, 2008)

arXiv:quant-ph/0405083v3 24 May 2004

We propose a protocol for deterministic communication that does not make use of entanglement. It exploits nonorthogonal states in a two-way quantum channel attaining significant improvement of security and efficiency over already known cryptographic protocols. The presented scheme, being deterministic, can be devoted to direct communication as well as to key distribution, and its experimental realization is feasible with present day technology. PACS numbers: 03.67.Dd, 03.65.Hk

In a recent paper Bostr¨om and Felbinger [1] presented a scheme to have “Secure Deterministic Communication using Entanglement”. The idea is an original revisiting of the “Quantum Dense Coding” [2]. They called the protocol “Ping-Pong” (PP) for its peculiarity of a “forward and backward” use of the quantum channel. With respect to Bennett and Brassard’s scheme (BB84) [3], the main advantage of PP is its deterministic nature, that permits Quantum Direct Communication (QDC) as well as Quantum Key Distribution (QKD). Unfortunately it was proved to be not completely secure [4, 5]. We describe here a communication protocol that combines the main advantages of PP and BB84, while avoiding their drawbacks, and we termed it PP84 [6]. The general idea is summarized in Fig.1. A character, traditionally called Bob, prepares a qubit in one of the four randomly chosen states |0i, |1i (eigenstates of Pauli operator Z), |+i, |−i (eigenstates of Pauli operator X), and sends it to his counterpart Alice. With probability (c) Alice measures the prepared state (control mode) or, with probability (1 − c), she uses it to encode a bit (encoding mode). After that she will send the qubit back to Bob. Encoding is represented by a transformation on qubit state rather than by qubit state itself: identity operation I encodes 0, while operation iY = ZX encodes 1. Notice that iY acts as a spin-flip on all the beginning states: iY (|0i , |1i) = (− |1i , |0i) iY (|+i , |−i) = (|−i , − |+i)

(1)

In this way Alice does not need to know the incoming state to perform the encoding. In turn Bob can easily decode Alice’s message by measuring the qubit in the same basis he prepared it. This feature makes the protocol deterministic: no qubits are discarded because of a wrong choice of the basis. To make a QDC it suffices that Alice performs transformations according to the message she wants to send out, while for a QKD the sequence of transformations will be random. Moreover the absence of any public discussion concerning qubit basis in the encoding-decoding procedure gives an eavesdropper (Eve) no classical information about qubit state, prevent-

ALICE

PREPARATION

1 →

0

Z + − →X

E1

C

1–C

ENCODING

I = iY =

EVE

BOB

0 1 CONTROL

Z or X DECODING

I iY

= 0 = 1

E2

FIG. 1: PP84 scheme

ing powerful attacks based on this strategy. To guarantee security of PP84, Alice has to measure the qubit with a probability c 6= 0 by randomly choosing a basis (Z or X), as in BB84. After that she will send qubit back to Bob. He, after publicly declaring the receipt of the qubit, measures it as exactly would do if Alice had encoded it (actually, he doesn’t still know Alice’s choice). At this point Alice reveals publicly whether she measured (and in which basis) or not, and a public debate on results is settled with Bob in the former case. Notice that if Eve is not on the line a perfect “double” correlation (on the forward and backward paths) of measurement results must be found by legitimate users. The “run-by-run” protocol just described realizes a QDC, which is more demanding on security. QKD easily follows from it by deferring all public discussions at the end of the whole transmission. Let us introduce the question of security of PP84 by a simple eavesdropping strategy. Suppose Eve randomly decides a basis, Z or X, along which performing projective measurements on the traveling qubit, both on forward and backward path. She can guess the right basis with probability 1/2, and in this case she is not revealed at all. If otherwise Eve chooses the wrong basis she still

2 has a probability of 50% to evade detection at point E1 and 50% at point E2 giving in the whole a 25% of possibility to evade detection. This means that Alice and Bob’s double test reveals Eve with average probability equal to: (0 + 3/4)/2 = 3/8 = 37.5%. Remarkably, this value is greater than the one obtained in BB84 (25%) for the same eavesdropping strategy. To extend the argument to general attacks we follow the line sketched in [7] but with some relevant differences. Given the four states prepared by Bob, and Eve’s ancillary states |εi, we can write the most general operation Eve can do on traveling qubit as: √ √ ε00 i + D |1i |e ε01 i |0i |εi → |0i |ε00 i + |1i |ε01 i = F |0i |e √ √ |1i |εi → |0i |ε10 i + |1i |ε11 i = D |0i |e ε10 i + F |1i |e ε11 i 1 |+i |εi → √ [|0i (|ε00 i + |ε10 i) + |1i (|ε01 i + |ε11 i)] 2 ≡ |+i |ε++ i + |−i |ε+− i 1 |−i |εi → √ [|0i (|ε00 i − |ε10 i) + |1i (|ε01 i − |ε11 i)] 2 ≡ |+i |ε−+ i + |−i |ε−− i (2)

This strategy represents the most general attack Eve can perform in a single run, if we do not allow her to create coherence in some way between forward and backward paths; for this reason we term it “incoherent”, referring to the other possibility as “coherent”. Within this kind of attack we must recover the optimal measure Eve can do i.e. we must maximize Alice and Eve’s mutual information (IAE ) minimizing detection probability (Pd ). From transformations (2) and conditions (3) we can evaluate the probability that Eve is not detected in the forward path, after her E1 -attack:

Ancillary states are neither orthogonal nor normalized; states with tilde are instead normalized. The following conditions make the transformations (2) unitary:

Pd = (1/8){7 − 4F F ′ − F cos x − D cos y − F ′ cos x′

hε00 |ε00 i + hε01 |ε01 i ≡ F + D = 1

hε10 |ε10 i + hε11 |ε11 i ≡ D + F = 1 hε00 |ε10 i + hε01 |ε11 i = 0

he ε01 |e ε10 i = cos y

(3)

(4)

with 0 ≤ x , y ≤ π/2. Here, we don’t fix values of the parameters we introduced. In [7] symmetry arguments lead to assume F = hε00 |ε00 i = hε++ |ε++ i. This reasoning is not applicable in our case: the absence of a classical discussion during the encoding-decoding procedure prevents Eve from waiting for the basis revelation, thus forcing her to break the symmetry by deciding the measurement basis. At point E2 Eve performs an attack similar to that at point E1 , but with fresh ancillae |ηi (hence new parameters F ′ and D′ ), √ √ |0i |ηi → F ′ |0i |e η00 i + D′ |1i |e η01 i √ √ ′ ′ η10 i + F |1i |e η11 i |1i |ηi → D |0i |e |+i |ηi → |+i |η++ i + |−i |η+− i |−i |ηi → |+i |η−+ i + |−i |η−− i

(6)

Pnd (|1i) = hε11 |ε11 i = F Pnd (|+i) = hε++ |ε++ i = (1/2) [1 + F cos x + D cos y]

Pnd (|−i) = hε−− |ε−− i = (1/2) [1 + F cos x + D cos y]

Similar arguments hold for the backward path, after E2 -attack, with primed parameters replacing not-primed ones. The probability that Eve is not detected after a whole run is then the product of the two partial probabilities; by taking its complement we obtain the probability to detect Eve. Averaging it over all input states we get: − D′ cos y ′ − F F ′ cos x cos x′ − F D′ cos x cos y ′ − DF ′ cos y cos x′ − DD′ cos y cos y ′ } (7)

It is possible to show [8] that Pd takes the minimum

We can set, without loss of generality: hε00 |ε01 i = hε10 |ε11 i = hε00 |ε10 i = hε01 |ε11 i = 0. Furthermore, we specify the angles between nonorthogonal vectors as: he ε00 |e ε11 i = cos x ,

Pnd (|0i) = hε00 |ε00 i = F

(5)

At the end of transmission Eve will measure ε and η ancillae and, by comparing results, she will gain information.

d ≡ min Pd = [1 − (1 + cos x) (1 + cos x′ ) /4] /2

(8)

for F = F ′ = 1; this condition represents the best Eve can do to conceal her presence. The maximum value d = 3/8 is obtained when x = x′ = π/2, corresponding, as we will see, to Eve’s maximum information. If Alice and Bob are going to make a QDC we can evaluate the probability that Eve can steal n bits of full information without being detected as (1 − c)n /[1 − c(1 − d)]n . It turns out, for example, that if c = 1/2 Eve has a probability of about 7.8% to successfully eavesdrop 1 byte (i.e. 8 bits) of full information and about 0.6% to eavesdrop 2 bytes. Increasing the value of c increases security of the protocol, but at the expense of the transmission rate. If instead Alice and Bob are going to make a QKD then the argument is a little bit more complicated. To evaluate IAE let us write Bob’s initial state as |Ψi = P α=0,1 Cα |αi. Now, suppose Alice performs identity between the two Eve’s attacks: X X E I |Ψi |εi |ηi →1 Cα (9) |βi |εαβ i |ηi → α

X α

Cα

X β

β

E

|βi |εαβ i |ηi →2

X α

Cα

X β,γ

|γi |εαβ i |ηβγ i

The ancillary states involved in this operation are: |ε00 , η00 i , |ε00 , η01 i , |ε01 , η10 i , |ε01 , η11 i |ε10 , η00 i , |ε10 , η01 i , |ε11 , η10 i , |ε11 , η11 i

(10)

3 If, instead, Alice performs a flip we have: X X E iY |Ψi |εi |ηi →1 Cα |βi |εαβ i |ηi → α

X

Cα

X

Cα

α

α

1 0.8

β

X

(−1)

X

(−1)

β+1

β

β,γ

I

β+1

E

|β ⊕ 1i |εαβ i |ηi →2  |γi |εαβ i η(β⊕1)γ

0.6 (11)

0.4 0.2

and ancillary states involved are: |ε00 , η10 i , |ε00 , η11 i , |ε01 , η00 i , |ε01 , η01 i

|ε10 , η10 i , |ε10 , η11 i , |ε11 , η00 i , |ε11 , η01 i

0 (12)

To acquire information from states (10) and (12) Eve must measure both her ancillae. Keeping in mind orthogonality relations (3) and following, we see that the best way to do that is to distinguish orthogonal subspaces before, and then nonorthogonal states within them. The probability to correctly distinguish between two states with scalar product cos x is (1 + sin x) /2 [9]. Observing states (10) and (12) we can notice that if Eve mistakes to identify her first ancilla (ε states) then she guesses wrong Alice’s operation, since she flips from states (10) to (12) or viceversa. The same is true if she guesses right ε state but mistakes η state. Nevertheless, if she mistakes twice, then with the first error she misinterprets (10) with (12) and with the second error she compensates the first, eventually guessing right Alice’s operation. This lead to a lengthy expression of IAE as a function of the six parameters describing ancillae states, but it can be simplified recalling that Eve wants to keep the Pd as low as possible, and so condition F = F ′ = 1 applies. In this case Eve’s strategy is optimal and IAE becomes: IAE = 1 − h [(1 + sin x sin x′ ) /2]

(13)

where h(·) indicates the Shannon binary entropy [10]. We are now in the position to compare relevant quantities we have calculated, in particular Eq.(8) for Pd and Eq.(13) for IAE . Unfortunately, both equations are functions of x and x′ thus preventing us to write IAE as a function of Pd . However, the following lemma holds: Lemma.The optimal Eve incoherent attack consists in a balanced one for which x = x′ . This lemma can be justified with the following qualitative argument [8]. The orthogonality Eve imposes on her ancillae is somewhat related to the information she can extract from the qubit: the more orthogonal they are, the higher is the information gained. If she sets x > x′ , the ancillae ε will be more orthogonal than ancillae η, and this entails a loss of information when going from the forward to the backward path. If she sets x < x′ we can argue the reverse. The above lemma allows us to write Pd (8) as: 2

d = (1/2) − (1/8) (1 + cos x)

(14)

0

0.05 0.1 0.15 0.2 0.25 0.3 0.35

d FIG. 2: PP84 Security: Information vs Detection Probability. The descent curve represents Alice and Bob mutual information IAB . The crescent curves represent Alice and bound Eve mutual informations (IAE dashed line, IAE solid line).

By inverting this relation and substituting it into Eq.(13) we can express the information IAE as function of Pd : nh i. o √ IAE = 1 − h 2 − (2 1 − 2d − 1)2 2 (15) It is easy to see that the maximum of information, IAE = 1, corresponds to a detection probability d = 37.5%. This implies that projective attacks described above are a kind of optimal incoherent attacks. IAE as a function of Pd is shown in Fig.2. For a QKD to be secure a comparison between Alice and Eve’s mutual information and Alice and Bob’s one must be settled; we must then evaluate the amount of information Bob has access to. Also in these calculations we must set F = F ′ = 1, because Bob receives a perturbed state according to Eve’s choice of minimizing the Pd . So, with this condition, the probability that Bob makes a right guess on Alice’s transformation after preparing |+i or |−i, and Eve measures in the basis |ε0,1 i , |η0,1 i, is P0,1 = (1 + cos x cos x′ ) /2. The probability that Bob makes a right guess on Alice’s transformation, after preparing the same states and Eve measures in the basis |ε+,− i , |η+,− i is P+,− = 1. Analogous results hold if Bob prepares states |0i or |1i. Averaging the information corresponding to P0,1 and to P+,− , and using the above Lemma we get: 
 IAB = 1 − (1/2)h 1 + cos2 x /2 (16) Eq.(16) can be written as function of Pd by inverting, as for IAE , Eq.(14). The result is shown in Fig.2. We notice that minimum Bob’s information is 1/2, because in half cases Eve doesn’t perturb the channel at all. Nevertheless, if we had used symmetry conditions discussed after Eq.(4) we would have obtained IAE going to zero. The intersection of IAB and IAE determines the safety of

4 the protocol for QKD. It results that the PP84 is secure against a general incoherent attack provided d < ∼ 23%. So far we have considered incoherent attacks and evaluated relevant quantities like detection probability, Eve’s information and Bob’s information. What is about coherent attacks? The most general coherent attack can be written as a transformation on 64 states of the form: |0i |ε00 i |ηi → |0i [|ε00 i |η000000 i + |ε01 i |η001000 i + |ε10 i |η010000 i + |ε11 i |η011000 i] + + |1i [|ε00 i |η100000 i + |ε01 i |η101000 i

+ |ε10 i |η110000 i + |ε11 i |η111000 i] |1i|ε00 i|ηi → . . . .. .

(17)

because the attack at point E2 includes also the resulting state of the first ancillae. This can create coherence between forward path and backward one, and Eve can take advantage of it. Despite of that the most general expression for detection probability remains the one found for incoherent attacks, given by Eq.(14), because it is obtained when Alice decides to measure, and her measure breaks any coherence Eve could have created. Moreover, we notice that the first (“translucid” [11]) attack at point E1 is the most general Eve can perform on the forward path, and so it must be the same for any kind of complete attack. This arguments permit us to bound the information Eve can acquire in any attack, coherent or not. We simply put together a Pd equal to d and a value for IAE equal to the one Eve would obtain by setting bound x′ = π/2 in Eq.(13): IAE = 1 − h[(1 + sin x)/2]. It is clear that we have overestimated Eve’s potential information gain or, the same, underestimated Pd . Also this result is shown in Fig.2. We obtain in this way the very lower bound for security of PP84, namely d < ∼ 18%. Notice that it is still greater than the one found in similar circumstances (individual attacks on a lossless channel) for BB84 (d < ∼ 15%) [7]. We believe that these results, together with the introductory remarks on attacks based on classical information exchange during the encodingdecoding procedure, demonstrate the safety of PP84. We would also like to briefly describe the behavior of PP84 when losses are present on the quantum channel. Two aspects of this question must be addressed: security against losses-based attacks and efficiency of transmission. As far as the former is concerned the risk is that an almighty Eve could substitute an imperfect channel with a perfect one and conceal her attacks behind losses interpreted as natural by Alice and Bob. This possibility exploits the lack of symmetry of Alice control ([5], [12]), and is not effective in our case. We have also considered more subtle attacks based on a kind of “quantum nondemolition strategy” by Eve, but Alice and Bob can always detect them by comparing losses rate pertaining to control mode runs and encoding mode ones.

As far as efficiency of transmission is concerned the implicit assumption is that losses are not due to an eavesdropper, but only to an imperfect channel. Accordingly to Ref.[13] the theoretical efficiency of a cryptographic protocol for QKD is given by the formula E = bs / (qt + bt ), where bs is the expected number of secret bits received by Bob, qt is the number of transmitted qubits on the quantum channel, and bt is the number of transmitted bits on the classical channel. Since in PP84 no classical information is needed in the encodingdecoding procedure we have bt = 0, that entails E = 1 (while for BB84 E = 1/4). As far as practical efficiency is concerned we refer to [14]. In our protocol a qubit, represented for instance by the polarization of a photon, is traveling for a distance 2L, being L the separation between Alice and Bob. If P is the probability that a photon is transmitted over the distance L, we have a total probability P 2 to transmit it over 2L. The practical efficiency can then be evaluated as E ′ = EP 2 . For BB84 the photon only travel for a distance L, thus E ′ = P/4. Comparing the two protocols, we obtain that if P ≥ 25% then the most efficient scheme is just the PP84. In conclusion, we have presented a cryptographic protocol which embeds peculiarities of BB84 and PP protocols, allowing direct communication as well as key distribution. It has been proved asymptotically secure in the former case and secure against general attacks in the latter case, admitting a greater quantum bit error rate with respect to other known protocols. It is more efficient than other schemes when losses are taken into account, whilst allowing easier experimental realization. Acknowledgements. We acknowledge useful discussions with G. Di Giuseppe and S. Pirandola. One of us (M.L.) would like to thank his parents for funding.

[1] K. Bostr¨ om and T. Felbinger, Phys. Rev. Lett. 89, 187902 (2002). [2] C. H. Bennett and S. J. Wiesner, Phys. Rev. Lett. 69, 2881 (1992). [3] C. H. Bennett and G. Brassard, Proc. Int. Conference on Computers, Systems and Signal Processing (Indian Institute of Science, Bangalore, India, 1984). [4] Qing-Yu Cai, Phys. Rev. Lett. 91, 109801 (2003). [5] A. Wojcik, Phys. Rev. Lett. 90, 157901 (2003). [6] A deterministic communication protocol as a special case of BB84 has recently been presented by Qing-Yu Cai and Bai-Wen Li, Chin. Phys. Lett. 21, 601 (2004). [7] N. Gisin, et al., Rev. Mod. Phys. 74, 145 (2002). [8] The detailed calculations will be presented elsewhere for space reasons. [9] A. Peres, Quantum Theory: Concepts and Methods, (Kluwer, Dordrecht, 1993). [10] M. Nielsen and I. L. Chuang, Quantum Computation and Quantum Information (Cambridge Univ. Press 2000). [11] A. K. Ekert, et al., Phys. Rev. A 50, 1047 (1994) [12] A. Wojcik, arXiv: quant-ph/0405035

5 [13] A. Cabello, Phys. Rev. Lett. 85, 5635 (2000) [14] I. P. Degiovanni, et al., Phys. Rev. A 69, 032310 (2004).